Some Talks from Shmoocon

Stranger in a Strange Land: Reflections on a Linux Guy's First Year at Microsoft, Crispin Cowan

Microsoft security was not a priority before the 2002 memo. The open source reality is that there are rarely "many eyes to make bugs shallow" (except for the largest, most popular projects), and that companies like Microsoft pay people to do this. Consider the failed Sardonyx project, which attempted to be "the Slashdot of source code auditing". (He did not mention the successful Coverity scan.)

He discussed some of the problems in the Windows architecture: heavy reliance on thread inspection, Windows messaging, and the number of services running with impersonation privilege or administrative privilege. UAC is reducing the dependence on administrator privilege; running without it is something Unix users are used to but Windows users are not.

The Unix process model is mostly sound except for ptrace(2). The X11 architecture is not secure.
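As an added example (not from the talk or this post), the Linux-side mitigation for the ptrace(2) weak spot named above: a process can mark itself non-dumpable with prctl(2), which stops other unprivileged same-uid processes from attaching to it, and the Yama ptrace_scope sysctl (assumed present on the host; the code tolerates its absence) restricts attaching system-wide. The classification helper peer_can_attach is my own summary of those two controls.

```c
/* Added example: reducing a Linux process's exposure to ptrace(2).
 * Assumes Linux with prctl(2); Yama may or may not be compiled in. */
#include <stdio.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Read the Yama ptrace_scope sysctl: 0 = classic (any same-uid process may
 * attach), 1 = only an ancestor may attach, 2 = CAP_SYS_PTRACE required,
 * 3 = attaching disabled. Returns -1 when Yama is not present. */
int yama_ptrace_scope(void) {
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}

/* Clear the dumpable flag. Under classic ptrace scope this blocks
 * PTRACE_ATTACH from other unprivileged same-uid processes and also
 * suppresses core dumps and /proc/<pid>/mem reads by them.
 * Returns the resulting dumpable flag (0 on success) or -1 on error. */
int harden_against_ptrace(void) {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Whether an unprivileged, unrelated same-uid process could still attach,
 * given the Yama scope (-1 treated as classic) and the dumpable flag.
 * Returns 1 if it could, 0 if not. */
int peer_can_attach(int scope, int dumpable) {
    if (scope >= 1) return 0;       /* Yama restricts to ancestors or forbids */
    return dumpable ? 1 : 0;        /* classic scope: dumpable flag decides */
}

int main(void) {
    int scope = yama_ptrace_scope();
    int dumpable = harden_against_ptrace();
    printf("yama ptrace_scope=%d dumpable=%d peer_can_attach=%d\n",
           scope, dumpable, peer_can_attach(scope, dumpable));
    return 0;
}
```

Setting the dumpable flag to zero is a per-process choice that daemons holding secrets typically make early in startup; Yama ptrace_scope is the host-wide policy an administrator sets, and the two compose.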

They Took my Laptop! US Search and Seizure Explained, Tyler Pitchford

When crossing the US border, your laptop is legally the same as a container (in terms of search and seizure). In US v. Boucher it was argued that an encryption key is a product of the mind rather than a tangible device.

Security vs Usability: False Paradigms of Laziness, Dead Addict

Developers should not create dialog boxes that interrupt users when they are trying to complete a task. If they don't know what they're doing (or its security implications), the dialog will just confuse them. If they do know what they're doing, the dialog will just irritate them.

Storming the Ivy Tower: How to Hack Your Way into Academia, Sandy Clark

For research, hackers need to know what other relevant references are out there and how their work is different. Academics want hackers who are doing interesting work, but don't necessarily know how to approach them. Co-authoring and conferences are excellent ways to get your work out there. Remember that the back door is wider than the front door and there's more than one way to continue your academic career.
